An attacker who successfully exploits this vulnerability could bypass Azure Active Directory authentication to a targeted host web application. To exploit this vulnerability, an attacker would have to send a specially crafted token to the target web application that contains a valid user's identity claims. This update addresses the vulnerability by correcting how ID tokens are validated when Passport strategies take advantage of Azure Active Directory.